MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bd8ecd59bcde1344767296b5c9760da3eef144570382cbbde20539dcdf1e1ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash:	0bd8ecd59bcde1344767296b5c9760da3eef144570382cbbde20539dcdf1e1ae
SHA3-384 hash:	ec46755a3355a551908813bd34cc8ef0c96ed77aa580a8c55a4e3b6522018ae1539e52a8dcf02e5762afd18206114fcf
SHA1 hash:	4e84872d3f1c263d9ec1712539a562fdce617d63
MD5 hash:	0878a443fae6afff3945b2849d9a805f
humanhash:	jersey-beer-hotel-fifteen
File name:	DN#20250313.arj
Download:	download sample
Signature	Formbook Create hunting rule
File size:	719'947 bytes
First seen:	2025-03-13 11:58:46 UTC
Last seen:	Never
File type:	arj
MIME type:	application/x-rar
ssdeep	12288:q4t2J0Z9yi+lif898lA5hL74auYGEHbZjkAlc2U0l48BtbXI08wDT3kOc7:Bt2J0Z9yiAiW8+ft5p1jkAlc2UIxtpkd
TLSH	T1B3E423523A742BD1EC841F760560EB2299D33D5E30EACC695FE04F4990A8E731E527BB
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	arj FormBook INVOICE

cocaman

Malicious email (T1566.001)
From: "Bui Thao Van <opal@sanosplus.com>" (likely spoofed)
Received: "from water.sanosplus.com (water.sanosplus.com [193.222.96.153]) "
Date: "13 Mar 2025 11:57:46 +0000"
Subject: "Invoice#202503132 (Multiple)"
Attachment: "DN#20250313.arj"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	AAHiVVNIKQESryT.exe
File size:	975'360 bytes
SHA256 hash:	0d173d647ff21c983845365edb6cfaab515479dd8eb6cb47f3c2295afffe1004
MD5 hash:	3e6924743e1faa6c6113af873fd2382f
MIME type:	application/x-dosexec
Signature	Formbook

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d2d2523962f1a6f470ce2f

Tags:

shell virus msil

Verdict:

Suspicious

Labled as:

Trojan.Kryptik

Link:

https://www.hybrid-analysis.com/sample/0bd8ecd59bcde1344767296b5c9760da3eef144570382cbbde20539dcdf1e1ae

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0bd8ecd59bcde1344767296b5c9760da3eef144570382cbbde20539dcdf1e1ae/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-03-13 11:58:50 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bpmozvm3zxqtir3hffvvzf3a3i7o6fcfoa4czo66ebjz3tpr4gxa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0bd8ecd59bcde1344767296b5c9760da3eef144570382cbbde20539dcdf1e1ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)